This article discusses a recent case where a federal appeals court ruled that employees who had their personal information accidentally emailed to other employees did not have standing to sue for data breach, unless they could show a concrete injury or a substantial risk of identity theft. The article also provides a three-part framework for how standing could be established in similar situations, based on the nature of the data, the exposure, and the misuse.
Link to article